Implementation principle of steam token verification code

users who have used steam should be familiar with this problem. Steam tokens are equivalent to secondary authentication. When you log in to an unfamiliar device or make a transaction, you need to enter the verification code in the token for secondary verification.

what I am curious about is that even if the app is not connected to the Internet, the CAPTCHA on the mobile token is connected to the server Synchronize, that is, if the user is disconnected from the phone"s network, entering the CAPTCHA on the token can still achieve the effect of secondary verification.

I have not come into contact with this knowledge. I would like to know about it. I hope the gods can provide some ideas.

Mar.20,2021

should be a sequence calculated according to time. The use of
tokens probably needs to be not too different from the server time in order to, Q Q secure mobile phone tokens. No, no, no.


such tokens are usually based on TOTP , something like this: truncate HMAC (key, (current timestamp-initial timestamp) / timestep) .

only when the token is being created, the server and the client negotiate the key and the initial timestamp, and the subsequent client only needs to change the current timestamp to generate the token according to the time. If the time step is set to 60 seconds, a token can be generated every 60 seconds.

of course, Steam tokens also have letters, so it's definitely not a standard TOTP implementation, and the principle should be similar.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e47c28-43739.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e47c28-43739.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?